n4ru / 1vyrain

LiveUSB Bootable exploit chain to unlock all features of xx30 ThinkPad machines. WiFi Whitelist, Advanced Menu, Overclocking.

X131E Support Re-Openned #100

Open ghost opened 2 years ago

ghost commented 2 years ago

> The new long form FAQ has instructions for testing compatibility on currently unsupported machines.
>
> Originally posted by @n4ru in https://github.com/n4ru/1vyrain/issues/17#issuecomment-589507201

Hi, I got a spare X131e, and I am comfortable with the CH341A and flashrom. Just a few clarifications so I can kick-start the porting:

  1. What vulnerabilities are we looking at? (Specifically, I want to determine the BIOS version suitable to kick-start the testing: low enough for the patches to possibly work, but not too low.)

  2. The "patcher" binary is from UEFITool, right?

  3. Should I dump a stock 4 MB ROM and patch it, or should I patch the .fl1? (I am confused about the padding part; both should be 4 MB, right?)

I recall seeing 3 patches; even if just one of them works it will be great (the whitelist one). If it is successful, then I shall move on to patching the 8 MB chip for the battery whitelist.

digmorepaka commented 2 years ago

  1. PR0-3 region unlock, and an SMM region unlock I believe. When it says 'unlocked' you still need to try to rewrite the BIOS region, because there's one that can still be locked and say 'unlocked'.

  2. Outdated, use the info in my repo https://github.com/digmorepaka/thinkpad-firmware-patches

  3. The 4M BIOS region is a part of the .FL1, you can extract it: https://thinkwiki.de/UEFI_BIOS_Update_with_a_Raspberry_Pi

Battery whitelist is EC, not UEFI or iME. I have no idea where the EC is stored on this model; on T/X/W (X131e is technically a ThinkPad Edge with its system and mechanical setup) it's in the EC, but lower-end models with cheaper ECs can have it elsewhere.

ghost commented 2 years ago
> 1. PR0-3 region unlock, and an SMM region unlock I believe. When it says 'unlocked' you still need to try to rewrite the BIOS region, because there's one that can still be locked and say 'unlocked'.
>
> 2. Outdated, use the info in my repo https://github.com/digmorepaka/thinkpad-firmware-patches
>
> 3. The 4M BIOS region is a part of the .FL1, you can extract it: https://thinkwiki.de/UEFI_BIOS_Update_with_a_Raspberry_Pi
>
> Battery whitelist is EC, not UEFI or iME. I have no idea where the EC is stored on this model; on T/X/W (X131e is technically a ThinkPad Edge with its system and mechanical setup) it's in the EC, but lower-end models with cheaper ECs can have it elsewhere.

Probably on the 8 MB chip; it's a similar 4+8 MB setup, I corebooted it before.

Honestly I have zero idea what PR0-3 is about, but I will give it a read.

I'm wondering if I should patch the .fl1 and flash with dosflash, or patch the dumped ROM and use the CH341A, because I foresee repeated r/w-ing of the ROM chips (I'm using flashrom in VBox; it's taking me more than 5 minutes to even read the 4 MB chip).

digmorepaka commented 2 years ago

> I'm wondering if I should patch the .fl1 and flash with dosflash

The entire reason this project exists is because this is no longer possible on xx30, unlike xx20 and older. You're welcome to try on the X131e, but I highly doubt it will work.

ghost commented 2 years ago

08-03-22 Project Outline

  1. Find the most recent FL1 for which the patches work
  2. Apply patch and test via CH341A (if not, develop new patches; if that can't be done, then we shall end this)
  3. Determine the most recent version for softflashing to work (1vyrain.iso)

digmorepaka commented 2 years ago

> Find the most recent FL1 for which the patches work

3.01 which is the latest and likely final UEFI for this model.

ghost commented 2 years ago

Patch works as expected after flashing the patch-applied ROM via CH341A: -pending details- Next step: in-system flashing with 1vyrain.

digmorepaka commented 1 year ago

Any updates? Does version detection work correctly or is the dmidecode data in the different format just like L430?

kocoman2 commented 1 year ago

Has anyone figured out how to unlock PR0? If I move the BIOS region to exclude it I get "bad crc of security settings in the"; if I downgrade it too much I get "configuration changed - restart the system"; if I clip the 4 MB chip it always ends up corrupted/transaction error when verifying, and never gets written to the flash. Thx.

OK, I got it to work, using the 1.05 version (where the S3 boot script exploit still works; haven't tried newer versions). Using UEFITool 28, delete LenovoFlashProtectPei.efi (GUID 53AC1948-0ED0-428A-B4DD-D2FFF2F5776F). I tried to patch it, but it was a bit different than https://ch1p.io/thinkpad-xx20-unlock-spi/, so I deleted it in a last-ditch try.

Doing that will move the PR0 to PR4 (not sure why) (and still locked). BUT then

run the stuff on https://review.coreboot.org/plugins/gitiles/coreboot/+/refs/changes/66/36666/1/Documentation/mainboard/lenovo/ivb_internal_flashing.md (the address was the same for me also).

When it resumes from sleep (via rtcwake or manually), all of PR0-PR4 are zeroed.

I am guessing it's because some code (I can't figure out which) cannot find the locked PR0 to re-enable the lock on PR0 (since it was moved to PR4), then when S3 resumed the PR4 became empty.

If I try it on the 1vy ISO I get success, but flashrom -p internal says error for some reason. So you can try it both ways, the 36666 review one above or 1vy.

Finally solved.
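Two observations in this thread hinge on what the PR0-PR4 values actually mean: digmorepaka's warning that a region can report 'unlocked' while still being locked, and kocoman2's finding that all of PR0-PR4 read as zero after an S3 resume. The following decoder is an added example and is not code from 1vyrain or from anyone in this thread. It decodes the Intel 6/7-series PCH SPI protected-range register layout (bit 31 WPE, bits 28:16 PRL, bit 15 RPE, bits 12:0 PRB, each address field in 4 KiB units) together with HSFS.FLOCKDN, and reports whether a given BIOS region is fully write-protected. The register values, the HSFS values and the 12 MB flash layout with the BIOS region at 0x800000-0xBFFFFF are constructed sample data, not readings from an X131e; the point is that a firmware-integrity check must treat zeroed PRx registers, a gap in coverage, or protection that is not yet locked down by FLOCKDN as a finding rather than trusting a single "locked/unlocked" label.

```python
"""Decode Intel PCH SPI protected-range registers (PR0..PR4) and check
whether a BIOS region is really write-protected.

Register layout (Intel 6/7/8-series PCH, PR0 at SPIBAR+0x74):
  bit 31      WPE  write-protection enable
  bits 28:16  PRL  protected range limit, address bits 24:12
  bit 15      RPE  read-protection enable
  bits 12:0   PRB  protected range base,  address bits 24:12
HSFS (SPIBAR+0x04) bit 15 is FLOCKDN: until it is set, the PRx registers
themselves can still be rewritten, so any protection is provisional.
"""
from dataclasses import dataclass
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive (start, end) flash addresses


@dataclass
class ProtectedRange:
    index: int
    wpe: bool
    rpe: bool
    base: int
    limit: int

    @property
    def active(self) -> bool:
        # A zeroed register (the post-S3 state described above) is inactive:
        # no enable bit and base 0 / limit 0xFFF protect nothing useful.
        return (self.wpe or self.rpe) and self.base <= self.limit


def decode_pr(index: int, value: int) -> ProtectedRange:
    """Split a 32-bit PRx register into its fields and expand to byte addresses."""
    prb = value & 0x1FFF
    prl = (value >> 16) & 0x1FFF
    return ProtectedRange(
        index=index,
        wpe=bool((value >> 31) & 1),
        rpe=bool((value >> 15) & 1),
        base=prb << 12,
        limit=(prl << 12) | 0xFFF,
    )


def write_gaps(region: Range, prs: List[ProtectedRange]) -> List[Range]:
    """Return the sub-ranges of `region` that no active, write-protecting PRx covers."""
    start, end = region
    covered = sorted((p.base, p.limit) for p in prs if p.active and p.wpe)
    gaps: List[Range] = []
    cursor = start
    for base, limit in covered:
        if limit < cursor:
            continue
        if base > end:
            break
        if base > cursor:
            gaps.append((cursor, base - 1))
        cursor = max(cursor, limit + 1)
        if cursor > end:
            break
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps


def assess(hsfs: int, pr_values: List[int], bios_region: Range) -> str:
    """Classify the BIOS region: UNPROTECTED, PROTECTED_BUT_UNLOCKED, or PROTECTED."""
    flockdn = bool((hsfs >> 15) & 1)
    prs = [decode_pr(i, v) for i, v in enumerate(pr_values)]
    if write_gaps(bios_region, prs):
        return "UNPROTECTED"
    return "PROTECTED" if flockdn else "PROTECTED_BUT_UNLOCKED"


# Constructed sample data (not readings from any real machine): a 12 MB map
# with the BIOS region at 0x800000-0xBFFFFF. PR0 = 0x8BFF0800 protects
# exactly that region (WPE=1, PRL=0xBFF, PRB=0x800).
SAMPLE_BIOS_REGION: Range = (0x800000, 0xBFFFFF)
SAMPLE_LOCKED = {"hsfs": 0xE008, "prs": [0x8BFF0800, 0, 0, 0, 0]}
SAMPLE_AFTER_RESUME = {"hsfs": 0xE008, "prs": [0, 0, 0, 0, 0]}      # all PRx zeroed
SAMPLE_NO_FLOCKDN = {"hsfs": 0x0008, "prs": [0x8BFF0800, 0, 0, 0, 0]}

if __name__ == "__main__":
    for name, s in (("locked", SAMPLE_LOCKED),
                    ("after resume", SAMPLE_AFTER_RESUME),
                    ("no FLOCKDN", SAMPLE_NO_FLOCKDN)):
        verdict = assess(s["hsfs"], s["prs"], SAMPLE_BIOS_REGION)
        gaps = write_gaps(SAMPLE_BIOS_REGION, [decode_pr(i, v) for i, v in enumerate(s["prs"])])
        print(f"{name:13s} -> {verdict}  gaps={[(hex(a), hex(b)) for a, b in gaps]}")
```

The register values would normally be read from the SPI BAR with a tool such as chipsec; feeding them through `assess` separates three states that a single "locked" flag blurs together: a region with no write-protecting range over it, a region that is covered but whose PRx registers are still writable because FLOCKDN is clear, and a region that is covered and locked down.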

K4sum1 commented 11 months ago

Has anyone figured this out?

HolimaX commented 2 months ago

Bump?